Summary of CVE-2020-14930, an account takeover vulnerability in the BT CTROMS Terminal OS Port Portal CT-464: impact, affected product, exploitation mechanism, and mitigation steps.
An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464 where an account takeover vulnerability exists due to the password-reset feature disclosing the verification token to an unauthenticated HTTP client.
Understanding CVE-2020-14930
CVE-2020-14930 is a logic flaw in the password-reset feature of the CTROMS Terminal OS Port Portal CT-464 that lets an unauthenticated attacker take over user accounts.
What is CVE-2020-14930?
The password-reset feature returns the verification token in the HTTP response to the unauthenticated client that requested the reset. An attacker can therefore read the token directly from the response and use it to complete the reset for the targeted account; no interception of the SMS sent to the registered phone is required.
The Impact of CVE-2020-14930
Because the token is handed to whichever client submitted the reset request, an attacker only needs to identify a target account to complete the reset and set a new password for it. No access to the registered phone, no existing credential and no action by the victim is required, so the flaw amounts to a full takeover of any user account on the portal.
Technical Details of CVE-2020-14930
This section provides more technical insights into the vulnerability.
Vulnerability Description
The issue arises in the password-reset feature of CTROMS Terminal OS Port Portal CT-464, which includes the verification token in the HTTP response to the unauthenticated client that initiated the reset instead of delivering it only to the registered phone number.
Affected Systems and Versions
The affected product is the BT CTROMS Terminal OS Port Portal CT-464; no narrower version range is given here.
Exploitation Mechanism
The reset flow sends the verification token to the registered phone number, as intended, but also returns it to the unauthenticated HTTP client that submitted the reset request. The attacker therefore submits a reset for the target account, reads the token out of the response, and completes the reset with a password of their choosing.
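The following Python model, added here as an illustration and not taken from the CT-464 portal or its vendor, shows the pattern behind this mechanism and the corresponding fix. The service, its method names, the account data and the SMS stand-in are all constructed for the example; the `leak_token_in_response` switch selects between the vulnerable behaviour (token echoed in the response) and the hardened behaviour (token sent only to the phone). It also includes the kind of check a tester or release pipeline can use to confirm the response carries no token.

```python
import hmac
import json
import secrets


class SmsGateway:
    """Constructed stand-in for the out-of-band channel: records what would be texted."""

    def __init__(self):
        self.sent = []  # list of (phone, message)

    def send(self, phone, text):
        self.sent.append((phone, text))


class PasswordResetService:
    """Hypothetical model of a portal reset flow (example code, not the CT-464 implementation)."""

    def __init__(self, sms, leak_token_in_response):
        self.sms = sms
        self.leak = leak_token_in_response
        # Constructed sample account; a real portal would read this from its user store.
        self.users = {"operator": {"phone": "+15550100", "password": "initial-pw"}}
        self.pending = {}  # username -> outstanding verification token

    def request_reset(self, username):
        """Step 1: an unauthenticated client names an account; the server issues a token."""
        user = self.users.get(username)
        if user is None:
            return {"status": "ok"}  # same shape for unknown accounts: no enumeration
        token = secrets.token_hex(3)  # 6 hex characters, like a typical SMS code
        self.pending[username] = token
        self.sms.send(user["phone"], f"Your reset code is {token}")
        body = {"status": "ok", "phone_hint": "***" + user["phone"][-4:]}
        if self.leak:
            # CVE-2020-14930 pattern: the token is also returned to the HTTP client.
            body["verification_token"] = token
        return body

    def confirm_reset(self, username, token, new_password):
        """Step 2: whoever presents the right token sets a new password. Single-use."""
        expected = self.pending.get(username)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[username]
        self.users[username]["password"] = new_password
        return True


def attacker_takeover(service, victim):
    """Exploit path: take the token from the response without touching the victim's phone."""
    resp = service.request_reset(victim)
    token = resp.get("verification_token")
    if token is None:
        return False  # hardened service: nothing usable in the response
    return service.confirm_reset(victim, token, "attacker-chosen")


def response_leaks_token(service, username):
    """Check: does the reset response carry the same code that went out by SMS?"""
    before = len(service.sms.sent)
    resp = service.request_reset(username)
    sent_codes = [msg.split()[-1] for _, msg in service.sms.sent[before:]]
    serialized = json.dumps(resp)
    return any(code in serialized for code in sent_codes)


if __name__ == "__main__":
    vulnerable = PasswordResetService(SmsGateway(), leak_token_in_response=True)
    print("vulnerable takeover succeeded:", attacker_takeover(vulnerable, "operator"))
    hardened = PasswordResetService(SmsGateway(), leak_token_in_response=False)
    print("hardened takeover succeeded:", attacker_takeover(hardened, "operator"))
    print("hardened response leaks token:",
          response_leaks_token(PasswordResetService(SmsGateway(), False), "operator"))
```

The `response_leaks_token` check is the practical takeaway: it compares what the out-of-band channel received with what the HTTP response contains, which is exactly the condition that makes this class of flaw exploitable. Run against a real portal it would be pointed at the reset endpoint and a test phone, but the assertion is the same.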
Mitigation and Prevention
To address CVE-2020-14930, apply the following steps. They are general guidance for this class of password-reset flaw rather than vendor-specific instructions.
Immediate Steps to Take
Restrict access to the portal's password-reset interface to trusted networks or clients until a fix is in place, since the flaw is reachable without authentication. Review password-reset activity and recent credential changes for resets that account owners did not initiate, and reset the credentials of any account that may already have been taken over.
Long-Term Security Practices
A password-reset verification token must reach the user only over the out-of-band channel it was designed for (here the registered phone number) and must never appear in any HTTP response to the client that requested the reset. Tokens should also be single-use, short-lived, and compared in constant time so that a leaked or guessed value cannot be replayed. Add a test to the release process that requests a reset and asserts that the response body contains no token.
Patching and Updates
Obtain and apply the vendor's fix for the CT-464 portal; no fixed version is identified here. Until the fix is applied, the access restriction above is the main compensating control.